Iranian tankers, cargo vessels left adrift after major cyber breach

A hacker collective known as Lab-Dookhtegan (Sewn Lips) has claimed responsibility for a significant cyberattack that disrupted communications on more than 60 Iranian oil tankers and cargo vessels, severing critical links between the ships, their ports, and the outside world. This operation marks one of the largest cyber offensives targeting Iran’s maritime sector.

The group told  Iran International that it infiltrated the systems of two key state-affiliated companies: the National Iranian Tanker Company (NITC) and the Islamic Republic of Iran Shipping Lines (IRISL). This breach impacted 39 tankers and 25 cargo ships, effectively crippling their communication networks.

Lab-Dookhtegan explained that the hack was executed by penetrating Fanava Group, an Iranian IT and telecommunications holding company providing satellite communications, data storage, and payment systems essential for maritime operations.

They said they obtained “root-level” access to the Linux operating systems controlling the ships’ satellite terminals, allowing them to disable Falcon, the control software central to Iran’s maritime communications.

“Stopping Falcon means complete disconnection between the ships and shore,” the group said. The attack rendered both automatic identification system (AIS) tracking and satellite links inoperable, leaving the vessels isolated.

NITC and IRISL are pivotal to Iran’s heavily sanctioned economy. NITC, a subsidiary of the National Iranian Oil Company, operates one of the largest tanker fleets in the Middle East with more than 46 vessels, transporting Iranian crude worldwide, often turning off tracking systems to evade sanctions.

IRISL, with approximately 115 vessels, is Iran’s largest cargo operator and was ranked the world’s 14th biggest shipping line by Alphaliner in 2022. Many of its ships have been sanctioned by the US, EU, and UN for allegedly supporting Iran’s nuclear and missile programs. Both companies were sanctioned by the US Treasury in 2020 for aiding the Islamic Revolutionary Guard Corps’ Quds Force.

This attack follows a similar incident in March 2025, when Lab-Dookhtegan disrupted communications on 116 vessels from the same firms, coinciding with US operations against Iran-backed Houthis in Yemen.

Western sanctions have curtailed Iran’s access to maritime technology and international ports, heightening vulnerability to cyber and physical threats.

Fanava Group, founded in 2003 and based in Tehran, has not responded to requests for comment.

The cyberattack arrives amid increasing global scrutiny of Iran’s maritime operations, with Western governments accusing Tehran of masking oil sales to China and supplying weapons to proxy groups like Hezbollah and the Houthis.

In a recent crackdown, the US Treasury sanctioned 13 companies and eight vessels linked to Iran’s oil exports, the department announced on August 21.

By Vafa Guliyeva